lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20051220224317.A37487@ubzr.zsa.bet>
Date: Wed Dec 21 05:22:55 2005
From: measl at mfn.org (J.A. Terranson)
Subject: Re: Guidance


On Wed, 21 Dec 2005, Jason Coombs wrote:

> Come now, my friend, you know very well that there is no such thing in
> computing unless you happened to be monitoring all internal and external
> I/O of the computing device in question at the time the alleged 'data'
> were allegedly 'processed' by that computing device.

For the sake of the audience, allow me to clarify something that's
probably not obvious to them as observers:

	Our discussion here is based upon the premise of "Expert Witness"
	rules under the FRCP (federal rules).  Under this system, a
	so-called "Expert Witness" may provide "evidence" which would
	otherwise be impermissable, as this testimony is by it's very
	definition, an opinion.  Clearly, evidence provided under the
	Expert Witness rules are very dangerous, as they are easily
	(and often, in both my opinion and I believe in Jason's
	opinion as well) abused.  In fact, this is where the famous
	"Dueling Experts" tales come from.

I will firmly agree that no expert should EVER testify that they are
offering up raw facts for digestion - the law is quite clear that this
isn't even (in theory) allowed.  Nevertheless, it does sneak in, and yes,
it does need to die - both in the computer forensics cases and in every
other case where any form of Expert Witness is utilized.

That said, an expert opinion may have real evidentiary value, as you know
(or you wouldn't be making your living as another Expert For Hire, like
the rest of us ;-)  The trick is to practice honestly and within the scope
of what is possible, rather than just making it all up as you go along.

> You put on a hat labeled 'computer forensic examiner' as a necessary
> matter of business practice, in order for other people to understand
> what you are when you are serving that role in some forensic situation.

No.  I put on my "Expert Witness hat" because the Court requires it for me
to offer testimony.  I often offer evidence without needing to be an
"expert" - in those cases I am providing evidence of a physical nature
which is not reasonably open to dispute.

> But by wearing such title, and by engaging in such business, you are
> forced to make gigantic leaps of imagination in order to offer opinions
> as to your finding of 'accurate and completely supporting information'
> after your forensic tools and your knowledge of software give you a
> glimpse of the past that is beyond the capability of mere mortals.

I think you are confusing me with another so-called examiner.  I forget
his name at the moment, but I *think* it had a W in it? ;-)

I do not offer evidence that approaches fantasy, or that requires leaps of
faith.  I can provide the framework, such as "At the time I examined the
computer in question, I checked the BIOS and found it to be accurate
within 14 seconds of a known reference time."  And evidence like "I found
evidence that certain programs were installed on this computer, i.e.,
<long list goes here>", and "I found remnants of photographic images in
the browser cache which are known to me to be pictures of a pre-teen child
named...".  You will not EVER hear ME testifying that an image was put on
a computer by a specific person.  I may testify that a certain login was
in use at the time the program was installed, but, as you so correctly
point out, I cannot possibly KNOW who loaded that program.

This is Ethical Practice.  This is how we practice here, and it is the
reason we are now the largest forensic form in the midwest.


> The problem, and the reason the entire industry needs to die, is that
> this creates a situation in which the side with the best imagination
> wins.

Again, wrong.  A competent attorney (often guided by someone like you or
me), can make mincemeat out of one of these sleazy
make-up-what-they-want-to-hear "practicioners".

Obviously, there is nothing I can do to help a client who has incompetent
counsel (rare but it does happen), nor is there anything I can do to
assist on a case I don't know about - but I can make big differences in
those cases I work - and I *do*.  Often!  This is why I support what you
are *trying* to do, although I believe you are misguided in your approach.

> It doesn't help the discovery of truth for people with forensic tools
> and talent to suggest that their imagination is superior and therefore
> can prove conclusively what happened in the past.

I agree.  And ANYONE who claims (1) to be a competent forensic
computer examiner, and (2) claims outrageous things like your postulate
above, should be not only prohibited from practicing anything at all
(especially any kind of forensics!), but they should be forced to be on
the receiving end of this kind of malpractice!

> No matter what safeguards you or the rest of the computer forensics
> industry develop, I will still be able to defeat your imagination
> because yours is limited by budgets and time constraints, whereas I am
> only limited by the lengths to which I am willing to go to deposit fake
> evidence and secretly control other people's computers.

The deliberate planting of evidence is a problem universally, and is not
peculiar to the computer forensics industry by any means.  I am not even
going to bother addressing that point here, as it's a completely unrelated
issue, and you *know* this.

> Given the desire to do so, any motivated adversary could cause your
> computers to contain 'accurate and completely supporting information' of
> their choosing, without possibility of detection after-the-fact.

ABSOLUTELY CORRECT!  And the competent computer examiner will make
absolutely certain that this is communicated to all parties at all times.

> It is
> only badly-executed intrusions or intruders caught-in-the-act that
> result in the owner of a computer system discovering that their security
> has been compromised.

While I won't go quite that far, your basic premise is sound.

> This is the end result of the ability to execute arbitrary code or gain
> unauthorized physical or logical access to vulnerable computer systems.

Absolutely.

> When the 'computer forensics' industry requires of each practitioner a
> written and spoken caveat to this effect before and after every report
> that an examiner delivers to a client, that's when there might be some
> justification for the industry to exist at all.

Again, you are doing the Republican Knee Jerk Jason :-)

Just because the industry has unscrupulous practitioners does not mean the
whole industry is better off dead.  If you extended this argument to every
other industry with similar situations (lawyers, doctors, etc.), there
would be NO "practitioners" of any kind, anywhere at all.

No Jason, competent examiners have a very solid future, as there is a lot
of work for us.  We make a difference in peoples lives *every day* - and I
am very proud to be in that position!  We make bad divorces end faster,
with less pain and trauma to all involved.  We occasionally prevent bad
prosecutions for things we wish didn't happen, and yes, sometimes we find
ourselves pushing for a prosecution even though you wish it were not so.

The simple truth is that anyone with a conscience will find themselves
alternately torn and proud by whatever they do - nothing is without
consequences.  We "sell" our service by pointing out that we save a LOT of
money on civil litigation.  We don't see a lot of criminal defense work
yet, for two reasons: (1) In the 8th circuit at least (not so in many
other courts though), the prosecutions labs were both trained by _us_, and
(b) therefore understand the limitations of the technology.  They are not
likely to prosecute a CP case that isn't completely cut and dried: hell,
Ive personally seen them deep six cases that _I_ would have gone forward
on.  They are responsible here, and it shows.

For those cases that do go forward, defense attorneys are just now
learning about this, and have not yet really gotten comfortable with it -
this is slowly changing.  Lastly, we have a company policy that very
strongly discourages criminal defense work: we let the lawyers know that
we will not work defense cases where the defendant is guilty.  And that
opinion is ours to make alone.  After all that, criminal defense is
unusual for us - but if we _do_ take a criminal case, the defendant is in
good hands: we believe they are innocent (or we wouldn't be there to start
with), and they have an examiner who can make the very arguments we're now
discussing, and who was responsible for a large portion of the training of
the other side.  It works.

> Until then, we're all a bunch of self-serving glory hounds who can't
> find anything better to do with life, and who don't mind putting other
> people at risk for our own short-term benefit.

Speak for yourself - clearly, this is not the premise we work on.  We take
the responsibility of this tremendously seriously.  We have regular
(weekly) Ethic Meetings to discuss all cases and possible implications, we
have multiple layers of safeguards built into the entire system at every
conceivable place something could go wrong.  Does that mean we're perfect,
and that we will never have a case "go south"?  No.  But it does mean that
if the case goes south, it won't be because we just "made something up"!

> We absolutely must be stopped. But that doesn't mean I will be turning
> away jobs myself.

Yes.  I note that you are as busy as we are - in spite of wanting the
"entire system to die" :-)

> As long as this booming market keeps making me rich, I'll keep doing my
> job to the best of my ability.

So, you're just in it for the money?  Maybe thats why you're so adamant
about this?  We turn down work all the time.  Good paying work.  We want
to be able to sleep at night.

> But I won't be happy
> about it until the nonsense stops and people start thinking rationally
> about how silly it is to trust computer data and call it 'evidence' --
> it is digital dumpster diving, and the hard drive are garbage cans.

You won't be happy - but you'll still do it?  Just for the money?  Wow!
I'm sorry jason!  Really.  I thought you were above that - I really did.
We've talked any number of times offline, and I thought you were
completely on the same page we were.

> Be careful which garbage can you stand next to, because proximity to the
> garbage is now effectively a crime thanks to flawed computer forensics.
> We are all at risk unnecessarily, and full disclosure of the true nature
> of that risk is our only protection against persons of superior
> imagination.


No.  Not due to the flawed forensics. Due to incompetent prosecutors.
And occasionally due to incompetent assistance from an incompetent
examiner.

Like us, you have a personal responsibility to see to it that these
injustices are not perpetuated.  That you would take work knowing it was
feeding evidence in support of the wrong side troubles me greatly Jason.

> Regards,

> Jason Coombs
> jasonc@...ence.org

//Alif

alif@...tedforensics.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ